
Encryption

Pentestas uses field-level encryption for anything sensitive. Per-tenant keys ensure a database snapshot leak doesn't cross-contaminate.

Scheme

  • Master key — server-wide key, stored in environment (MASTER_ENCRYPTION_KEY), rotated annually.
  • Tenant keys — Fernet key generated per-tenant on first use. Stored encrypted with the master key in the tenants.encryption_key column.
  • Field encryption — sensitive finding fields (evidence, request/response bodies, payload data) encrypted with the tenant's Fernet key before insert.

What's encrypted

Column                          Protection
findings.evidence               Fernet + tenant key
findings.payload_used           Fernet + tenant key
findings.ai_narrative           Fernet + tenant key
findings.ai_impact              Fernet + tenant key
findings.ai_remediation         Fernet + tenant key
tenants.anthropic_api_key_enc   Fernet + master key
tenants.azure_credentials_enc   Fernet + tenant key
All other columns               Postgres' native TDE (via provider)

What's not encrypted (by design)

  • Finding titles / severity / CVSS — needed for filtering + indexes.
  • Scan target URLs — needed for audit + quota.
  • Agent keys on disk (agent side) — DPAPI (Windows) / file-perm 0600 (Linux).

Bring-your-own-key (Enterprise)

Enterprise customers can supply their own KMS root:

  • AWS KMS — arn:aws:kms:…
  • Azure Key Vault — URI + access policy.
  • GCP Cloud KMS — resource path + SA.

With BYOK, the tenant's Fernet key is wrapped by your KMS, not Pentestas's. A KMS revocation immediately blacks out access to your findings without requiring our intervention.

Re-encryption on key rotation

When a tenant key rotates:

  1. New Fernet key generated.
  2. Background task re-encrypts every row for that tenant (UPDATE ... SET evidence = encrypt(decrypt(evidence, old), new)).
  3. Old key kept for 7 days (defence against rotation mistakes).
  4. After 7 days, old key is zeroised.

Rotation can be triggered manually by an admin or on a schedule.
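The scheme above (master key wrapping a per-tenant Fernet key, fields encrypted under the tenant key) and the re-encryption step of rotation, as an added example written for this page rather than Pentestas's own code. It uses the cryptography library's Fernet/MultiFernet; the function names, the in-memory "rows" and the stand-in master key are constructed for the demo.

```python
# Added example (not Pentestas code): envelope-encrypt a finding field with a
# per-tenant Fernet key wrapped by a master key, then re-encrypt on rotation.
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed stand-in for MASTER_ENCRYPTION_KEY; in production it comes from
# the secret store, never from source or the database.
MASTER_KEY = Fernet.generate_key()


def provision_tenant_key(master_key: bytes) -> tuple[bytes, bytes]:
    """Return (tenant_key, wrapped_key); only wrapped_key is stored in
    tenants.encryption_key, so a DB snapshot alone reveals no usable key."""
    tenant_key = Fernet.generate_key()
    return tenant_key, Fernet(master_key).encrypt(tenant_key)


def unwrap_tenant_key(master_key: bytes, wrapped: bytes) -> bytes:
    return Fernet(master_key).decrypt(wrapped)


def encrypt_field(tenant_key: bytes, plaintext: str) -> bytes:
    return Fernet(tenant_key).encrypt(plaintext.encode())


def decrypt_field(tenant_key: bytes, token: bytes) -> str:
    return Fernet(tenant_key).decrypt(token).decode()


def rotate_tenant(old_key: bytes, rows: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Rotation step 2: MultiFernet.rotate() verifies each token with any listed
    key and re-encrypts it under the first, i.e. encrypt(decrypt(t, old), new)."""
    new_key = Fernet.generate_key()
    mf = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return new_key, [mf.rotate(t) for t in rows]


def old_key_still_works(old_key: bytes, token: bytes) -> bool:
    """Once the old key is zeroised (step 4) it must not open rotated rows."""
    try:
        Fernet(old_key).decrypt(token)
        return True
    except InvalidToken:
        return False


def demo() -> dict:
    tenant_key, wrapped = provision_tenant_key(MASTER_KEY)
    key = unwrap_tenant_key(MASTER_KEY, wrapped)  # server-side unwrap at request time
    rows = [encrypt_field(key, f"evidence row {i}") for i in range(3)]  # constructed rows
    new_key, rows = rotate_tenant(key, rows)
    return {"decrypted": [decrypt_field(new_key, t) for t in rows],
            "old_key_works": old_key_still_works(key, rows[0])}
```

In the real system the rows are re-encrypted by the background UPDATE and the old key is only dropped after the 7-day grace period; the demo collapses that window to show the end state.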

Breach-glass

  • We keep no plaintext backup of sensitive fields.
  • A Pentestas admin with DB access cannot decrypt your data without the tenant Fernet key, which is itself encrypted with the master key that lives only in the production environment's secret store.
  • BYOK customers have the final word — revoking the KMS grant immediately makes their data unreadable to us.

See also